Our issue with Gerrit remains the same, it assumes it has direct control of the canonical repo and we have drawn the line for ANY services running on our repo servers to ensure that they are secure, highly available at all times, and provide a traceable audit trail for all commits. This does not mean that we have said no to Gerrit, just not on our primary git servers.
Their are projects running their own external Gerrit, but all commits occur against git-wip still. Both Apache Impala and Apache Kudu use a similar push_to_asf.py script  for committers post review to accept and push with. This is no different than the projects using Github or reviewboard and having similar scripts. There is an effort underway to allow Github to be canonical, but that is still limited in scope for testing as we prove it out.
If there are any suggestions or interest in helping setup/puppetize a potential Gerrit service for ASF projects I would encourage you to start a discuss thread on our firstname.lastname@example.org
mailing list. This POC would not be able to run on our primary git servers and would need to be under a similar set of conditions to what our current Github POC is operating with.